Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

If you are using an older internet browser, new security restrictions mean that from Thursday, 7 June 2018, you may no longer be able to access our website. You will need to update your browser or use an alternative one. We apologise for the inconvenience but some older browsers are no longer secure enough for use on our website. Find out more here.

A complainant seeking $100,000 in damages for Westpac’s disclosure of a debit card statement to his employer has had his case dismissed by the Human Rights Review Tribunal.

The complainant was a chartered accountant employed by an accounting firm. He explained that a debit card issued by the firm was registered in his name and the statements were sent to his home address. He said the statements recorded personal transactions as well as work-related transactions and that the information should not have been disclosed to his employer.

The accountant said Westpac had breached principles 5 and 11 of the Privacy Act. Principle 5 says an agency shall take the necessary safeguards to protect personal information against loss and access, use, modification, or disclosure. Principle 11 says an agency shall not disclose personal information unless the agency believes the disclosure is for one of the purposes in connection with which the information was obtained.

Debit card dispute

In its decision, the Tribunal said the outcome of the case depended on whether the debit card was in effect the accountant’s personal card or whether it was for the purposes of his employment at the accounting firm.

Under the accounting firm’s instructions, Westpac issued debit cards to four of its team leaders, including the complainant. The firm said the cards were intended to be used from time to time to pay for work-related expenses such as coffees for team members. At the time the cards were issued, the firm credited $820 to each card.

The complainant said the card he was issued was not linked to his employer and the firm was not provided with, or did not seek any authority to obtain, information about it from Westpac.

But the accounting firm’s business manager said the requirement to account for expenses reconciliation purposes had been verbally communicated to the four team leaders, including the complainant, on a number of occasions. With the exception of the complainant, the other team leaders complied with the requirement and provided the firm with their expenditure information.

Cash advance

A month later, Westpac sent the complainant an account statement of the card’s transactions. This included details of a cash advance of $700 and a cash deposit for the same amount some days later.

The firm’s business manager who set up the four pre-paid debit cards with Westpac said she asked the bank to provide a copy of the complainant’s debit card statement for accounting reconciliation purposes and to ensure that the transactions recorded on it complied with the firm’s rules for the use of cash loaded onto the card.

She did this because, despite numerous requests, the complainant did not provide the information requested. The bank complied with the request.

The complainant then complained to Westpac that the disclosure of the debit card statement to the firm was a breach of the Privacy Act. In its initial response, Westpac said the release of the statement had happened in error. Westpac then contacted the firm and asked it to destroy or return the statement. The bank also apologised to the complainant.

After further consideration, the bank concluded the disclosure of the debit card statement to the complainant’s employer was justified because the card had been authorised by the employer. In other words, the accounting firm that employed the complainant had made it clear that it needed to maintain proper oversight of the transactions carried out using the debit card.

Sum for damages

The accountant took his complaint to the Tribunal. He nominated $100,000 as the sum for damages for emotional harm suffered and damage to his career and employment relationships, plus $4,000 for legal fees.

The Tribunal said in its decision the outcome of the case depended on whether the debit card was the complainant’s personal card, or whether it was for business purposes. The Tribunal overwhelming established it was for business purposes. It noted that in Westpac’s records, the transactions were recorded under the firm’s profile.

The Tribunal’s decision described the accountant as an opportunist. It noted what it called the “noticeably self-serving tone to (the complainant’s) evidence and his shutting of the eyes to the overwhelming evidence” that the card was provided to him for work purposes only.

The Tribunal members assessed the complainant as a person whose career aspirations at the firm had been thwarted by circumstances of his own making. The ‘error’ initially admitted by Westpac for sending a copy of the debit card statement to the employer had encouraged the complainant to seek a windfall financial gain.

It observed that it would be astonishing if a firm did not put in place conditions that required documentation to ensure oversight of spending and an audit trail to help with the calculation of expenses for tax purposes. The Tribunal found there had been no breach of an information privacy principle and dismissed the complainant’s case.

Comments

No one has commented on this page yet.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.